September 15, 2008

MD5 considered primeval

The SF Chronicle talked to me last week about a forensic tool that uses MD5 to ensure its evidence has not been tampered with after collection.

Cellebrite’s Ofrat said that despite the theoretical possibility of hacks to MD5, the likelihood is low. “You’d have to have the best hacker in the world,” he said. But his firm is studying SHA-256 and will move to that if it becomes an industry standard, he said.

I appreciate his humble acknowledgement that anyone who can run a software tool is now “the best hacker in the world”. But perhaps they should move to more secure hash functions like SHA-256 anyway. After all, other forensic software has moved to SHA-256 since at least 2003 after the US government (NIST) standardized on it in 2002. Is that standard enough for Cellebrite?

Related

4 Comments

From the site linked to
“It is important to note that the hash value shared by the two different files is a result of the collision construction process. We cannot target a given hash value, and produce a (meaningful) input bit string hashing to that given value.”

It is not unreasonable to use MD5sums for tamper detection unless someone is able to generated targeted hashs.

Yes, no one has published second pre-image attacks on MD5 yet. However, you can’t seriously be defending its continued use in any modern system.

As for MD5’s use with forensics, all criminals can place the known MD5 colliding “magic string” in their data. Then, if caught, produce a totally innocent set of data that matches the same MD5 sums Cellebrite got. Now there’s reasonable doubt that the evidence could have been tampered with.

MD5 should be retired quickly, even for uses where second pre-image resistance is all that’s needed. Cellebrite’s competitors got the message back in 2003. Why are they trying to ignore this?